Forensic Analysis: using TSK and Volatility
A bit about Me
• Mark Bennett
• Work for Check Point Software.
• Incident Response/Forensics for Health Care
– Firewalls
– Malware analysis
– Intrusion Prevention
– HR/Legal
– Watching over the enterprise
• SANS Instructor
– http://www.sans.org
– http://www.darknet-consulting.com
– http://www.pauldotcom.com
Agenda
• Metasploit
– How to use it
– What can you do with it
• Making Forensic copies
– Copying memory
– Copy Hard drive
• Timeline analysis
– How to create
– How to read
• Memory analysis
– Strings
– Volatility
• See it live
• Wrap up
Metasploit
Metasploit – cont.
Mandiant Memoryze
Using dd for bit-by-bit copies
fls - bodyfile
mactime - timeline
Timeline Analysis
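The three slides above (fls bodyfile, mactime timeline, timeline analysis) describe the TSK pipeline: fls -m walks a file system image and emits one bodyfile line per file, and mactime expands each line into dated events and sorts them. The following is an added example, not the presenter's code or part of The Sleuth Kit: a small Python reimplementation of the mactime step over a constructed bodyfile (the file names, inodes and timestamps are made up for illustration), so the MACB flags a reader sees in a timeline can be traced back to the four bodyfile timestamps. The bodyfile layout used is the real TSK 3.x one (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed sample bodyfile in the layout "fls -r -m / image.dd" produces.
# These are invented paths and epoch timestamps, not evidence from a real case.
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|1001|r/rrwxrwxrwx|0|0|302592|1577836800|1546300800|1546300800|1546300800
0|/Users/bob/Downloads/invoice.pdf.exe|2042|r/rrwxrwxrwx|0|0|81920|1609459260|1609459200|1609459200|1609459200
0|/Users/bob/Downloads|2040|d/drwxrwxrwx|0|0|4096|1609459260|1609459200|1609459200|1577836800
0|/Windows/Prefetch/INVOICE.PDF.EXE-1A2B3C4D.pf|3100|r/rrwxrwxrwx|0|0|12288|1609459320|1609459320|1609459320|1609459320
"""


@dataclass
class BodyEntry:
    md5: str
    name: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int   # last access
    mtime: int   # content modified
    ctime: int   # metadata changed (MFT entry / inode)
    crtime: int  # born / created


@dataclass
class TimelineRow:
    ts: int
    size: int
    macb: str    # e.g. "m.cb": which of the four timestamps equal ts
    mode: str
    uid: int
    gid: int
    inode: str
    name: str


def parse_bodyfile(text: str) -> List[BodyEntry]:
    """Parse bodyfile lines; skips blank lines and lines without 11 fields."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        md5, name, inode, mode, uid, gid, size, at, mt, ct, crt = parts
        entries.append(BodyEntry(md5, name, inode, mode, int(uid), int(gid),
                                 int(size), int(at), int(mt), int(ct), int(crt)))
    return entries


def build_timeline(entries: List[BodyEntry]) -> List[TimelineRow]:
    """Expand each entry into per-timestamp events and merge the MACB flags
    for events of the same file at the same second, as mactime does."""
    events = {}  # (ts, name) -> [entry, set of flags]
    for e in entries:
        for flag, ts in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if ts <= 0:          # a zero timestamp means "unknown"; mactime drops it
                continue
            events.setdefault((ts, e.name), [e, set()])[1].add(flag)
    rows = []
    for ts, name in sorted(events):
        e, flags = events[(ts, name)]
        macb = "".join(ch if ch in flags else "." for ch in "macb")
        rows.append(TimelineRow(ts, e.size, macb, e.mode, e.uid, e.gid, e.inode, name))
    return rows


def rows_in_window(rows: List[TimelineRow], start: int, end: int) -> List[TimelineRow]:
    """Pivot on a time of interest: keep rows with start <= ts <= end (UTC epoch)."""
    return [r for r in rows if start <= r.ts <= end]


def format_row(r: TimelineRow) -> str:
    """Render one row in the column order mactime uses (date, size, type, mode, UID, GID, meta, name)."""
    date = datetime.fromtimestamp(r.ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return f"{date} {r.size:>9} {r.macb} {r.mode} {r.uid} {r.gid} {r.inode:>6} {r.name}"


if __name__ == "__main__":
    timeline = build_timeline(parse_bodyfile(SAMPLE_BODYFILE))
    for row in timeline:
        print(format_row(row))
    # Narrow to the minutes around the suspicious download to read the story.
    print("--- around the download ---")
    for row in rows_in_window(timeline, 1609459200, 1609459320):
        print(format_row(row))
```

When reading the output, a row marked "macb" means all four timestamps agree, which is what a file that was created and never touched again looks like; a row marked only ".a.." is an access with no content change. Looking at which files share a timestamp (here the executable in Downloads, its parent directory's mtime and ctime, and a Prefetch file two minutes later) is the "how to read" part of timeline analysis.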
Memory Analysis
Volatility – memory analysis
Live Demo
Let’s Do it for Real!!!
Questions/Comments
Wrap UP
• Mark Bennett
– http://www.sans.org/mentor
• 508 Advanced Forensic Analysis
• 408 Windows Forensics
• 504 Incident Response
– http://www.darknet-consulting.com
– http://www.pauldotcom.com
– Hack Labs – Metasploit
• Be good, be safe, if you are going to hack, hack legally and responsibly – I’m Out!
THANK YOU FOR ATTENDING